Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Regulations, Compliance and Standards > United States of America - State Privacy Regulations
United States of America - State Privacy Regulations
Predefined Policies and Classifiers | Forcepoint DLP | 8.7.2
Policies for promoting compliance with various states' privacy regulations
*
Alabama Information ProtectionKentucky Data Breach Notification
*
Alaska Personal Information Protection Act
*
Arizona Data Breach Notification Law
*
Arkansas Personal Information Protection Act
*
California Consumer Privacy Act (CCPA)
*
Colorado Consumer Protection Act
*
Connecticut Data Breach Notification Act
*
Delaware Data Breach Notification
*
District of Columbia Security Breach Notification Act
*
Florida Information Protection Act
*
Georgia Personal Data Security Act
*
Hawaii Security Breach of Personal Information
*
Idaho Data Breach Notification
*
Illinois Personal Information Protection Act
*
Indiana Disclosure of Security Breach law
*
Iowa Data Breach Notification Law
*
Kansas Protection of Consumer Information
*
Kentucky Data Breach Notification
*
Louisiana Data Breach Notification
*
Maine Data Breach Notification Law
*
Maryland Personal Information Protection Act
*
Massachusetts Protection of Personal Information
*
Michigan Identity Theft Protection Act
*
Minnesota Data Breach Notification
*
Mississippi Data Breach Notification
*
Missouri Breach Notification Law
*
Montana Data Breach Notification Statute
*
Nebraska Notification of Data Security Breach Act
*
Nevada Security of Personal Information
*
New Hampshire Notice of Security Breach
*
New Jersey Personal Information and Privacy Protection Act
*
New Mexico Data Breach Notification Act
*
New York Data Security Act
*
North Carolina Identity Theft Protection Act
*
North Dakota Data Breach Notification
*
Ohio Data Security Breach Notification Law
*
Oklahoma Security Breach Notification Act
*
Oregon Consumer Identity Theft Protection Act
*
Pennsylvania Breach of Personal Information Notification Act
*
Puerto Rico Data Breach Notification
*
Rhode Island Identity Theft Protection Act
*
South Carolina Data Breach Notification
*
South Dakota Medical Records Law
*
Tennessee Data Breach Notification
*
Texas Identity Theft Enforcement and Protection Act
*
Utah Protection of Personal Information Act
*
Vermont Security Breach Notice Act
*
Virginia Data Breach Notification
*
Washington Data Breach Notification
*
West Virginia Consumer Credit and Protection Act
*
Wisconsin Data Breach Notification
*
Wyoming Data Breach Notification
Alabama Information Protection
Alabama standard 681S2-00 requires that executive branch agencies, boards, and commissions shall identify Personally Identifiable Information (PII), evaluate the risk and impact of loss or unauthorized disclosure of PII, and implement PII confidentiality safeguards. The policy detects combinations of PII like social security and credit card numbers. Additional rules detect passwords. The rules for this policy are:
*
Alabama Information Protection: Account and Password
*
Alabama Information Protection: Name and CCN
*
Alabama Information Protection: Name and Password (Wide)
*
Alabama Information Protection: Name and Password (Default)
*
Alabama Information Protection: Name and Password (Narrow)
*
Alabama Information Protection: Name and SSN
*
Alabama Information Protection: Password Dissemination for HTTP Traffic (Wide)
*
Alabama Information Protection: Password Dissemination for HTTP Traffic (Default)
*
Alabama Information Protection: Password Dissemination for HTTP Traffic (Narrow)
Alaska Personal Information Protection Act
Alaska HB 65 of 2008 notifies consumers when a data breach concerning personal information has occurred. Personal information is defined to include unencrypted information on an individual, which consists of the individual's name and one or more of several other pieces of information, including social security number, driver's license number, account number, password, or other access codes. The policy detects combinations of full names with social security, driver's license, or credit card numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
Alaska Personal Information Protection Act: Name and SSN
*
Alaska Personal Information Protection Act: Name and DL
*
Alaska Personal Information Protection Act: Name and CCN
*
Alaska Personal Information Protection Act: Name and Password (Wide)
*
Alaska Personal Information Protection Act: Name and Password (Default)
*
Alaska Personal Information Protection Act: Name and Password (Narrow)
*
Alaska Personal Information Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Alaska Personal Information Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Alaska Personal Information Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Alaska Personal Information Protection Act: Account and Password
Arizona Data Breach Notification Law
Arizona SB 1338 of 2006 requires businesses to provide consumer notification of data breaches. It is applicable to any person that conducts business in Arizona and owns or licenses computerized data that includes personal information or maintains such data. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and Arizona driver's license numbers. The rules for this policy are:
*
Arizona Data Breach Notification Law: SSN with AZ driver license
*
Arizona Data Breach Notification Law: SSN with CCN
Arkansas Personal Information Protection Act
Arkansas SB 1167 of 2005 requires organizations to protect personal information of Arkansas residents (including personal health information) and to inform Arkansas customers when their private information is disclosed during a security breach. The policy comprises rules that detect combinations of personally identifiable information with sensitive information such as protected health information, credit card numbers, or passwords. The rules for this policy are:
*
Arkansas SB 1167: Arkansas Driver License with Sensitive Disease or Drug
*
Arkansas Personal Information Protection Act: CCN with Arkansas Driver License
*
Arkansas Personal Information Protection Act: Names with Sensitive Disease or Drug (Default)
*
Arkansas Personal Information Protection Act: Names with Sensitive disease or drug (Narrow)
*
Arkansas Personal Information Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Arkansas Personal Information Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Arkansas Personal Information Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Arkansas Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Arkansas Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
Arkansas Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
*
Arkansas Personal Information Protection Act: SSN with CCN
*
Arkansas Personal Information Protection Act: SSN with Sensitive Disease or Drug
California Consumer Privacy Act (CCPA)
*
The 'California Consumer Privacy Act of 2018' (CCPA) protects the personal information collected by businesses. Businesses in violation of the act shall be liable for a civil penalty. The policy detects personally identifiable information (PII), such as social security numbers, and credit card numbers. The policy also covers previous Californian privacy regulations, such as California SB 1386 of 2003, California AB 1950 of 2004 and AB-1298 of 2017.
*
The rules for this policy are:
*
California Consumer Privacy Act: California Driver License and Sensitive Disease or Drug
*
California Consumer Privacy Act: CCN (Default)
*
California Consumer Privacy Act: CCN (Narrow)
*
California Consumer Privacy Act: CCN and California Driver License Number
*
California Consumer Privacy Act: CCN and Sensitive Disease or Drug
*
California Consumer Privacy Act: Celebrity Name and Sensitive Disease or Drug
*
California Consumer Privacy Act: Celebrity Name and Common Medical Condition
*
California Consumer Privacy Act: CCN and Common Medical Condition
*
California Consumer Privacy Act: DNA Profile
*
California Consumer Privacy Act: ICD9 Code and Name
*
California Consumer Privacy Act: ICD9 Description and Name
*
California Consumer Privacy Act: ICD10 Code and Name
*
California Consumer Privacy Act: ICD10 Description and Name
*
California Consumer Privacy Act: Name and Common Medical Condition (Default)
*
California Consumer Privacy Act: Name and Common Medical Condition (Narrow)
*
California Consumer Privacy Act: Name and HICN
*
California Consumer Privacy Act: Name and Sensitive Disease or Drug (Default)
*
California Consumer Privacy Act: Name and Sensitive Disease or Drug (Narrow)
*
California Consumer Privacy Act: SSN
*
California Consumer Privacy Act: SSN and Common Medical Condition
*
California Consumer Privacy Act: SSN and Sensitive Disease or Drug
*
California Consumer Privacy Act: SSN and California Driver License Number
*
California Consumer Privacy Act: SSN and CCN
*
California Consumer Privacy Act: Name and MBI (Default)
*
California Consumer Privacy Act: Name and MBI (Wide)
Colorado Consumer Protection Act
Colorado HB 06-1119 of 2006 requires that an individual or commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware of a breach of the security of the system, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The individual or the commercial entity shall give notice as soon as possible to the affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Colorado Consumer Protection Act: SSN: with Colorado driver license
*
Colorado Consumer Protection Act: SSN with CCN
*
Colorado Consumer Protection Act: Name with SSN
*
Colorado Consumer Protection Act: Name with Colorado driver license
*
Colorado Consumer Protection Act: Name with CCN
*
Colorado Consumer Protection Act: SSN with DNA profile
Connecticut Data Breach Notification Act
Connecticut SB 650 of 2006 requires that any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security, following the discovery of the breach, to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Connecticut Data Breach Notification Act: Name and SSN
*
Connecticut Data Breach Notification Act: Name and DL
*
Connecticut Data Breach Notification Act: Name and CCN
*
Connecticut Data Breach Notification Act: Name and Password (Wide)
*
Connecticut Data Breach Notification Act: Name and Password (Default)
*
Connecticut Data Breach Notification Act: Name and Password (Narrow)
*
Connecticut Data Breach Notification Act: Password Dissemination for HTTP Traffic (Wide)
*
Connecticut Data Breach Notification Act: Password Dissemination for HTTP Traffic (Default)
*
Connecticut Data Breach Notification Act: Password Dissemination for HTTP Traffic (Narrow)
*
Connecticut Data Breach Notification Act: Account and Password
Delaware Data Breach Notification
Delaware HB 116 of 2005 requires that any person who conducts business in this State and who owns, licenses, or maintains computerized data that includes personal information shall provide notice of any breach of security, following determination of the breach of security, to any resident of this state whose personal information was breached or is reasonably believed to have been breached; unless, after an appropriate investigation, the person reasonably determines that the breach of security is unlikely to result in harm to the individuals whose personal information has been breached. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Delaware Data Breach Notification: Name and SSN
*
Delaware Data Breach Notification: Name and CCN
*
Delaware Data Breach Notification: Name and Password (Wide)
*
Delaware Data Breach Notification: Name and Password (Default)
*
Delaware Data Breach Notification: Name and Password (Narrow)
*
Delaware Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Delaware Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Delaware Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
*
Delaware Data Breach Notification: Account and Password
*
Delaware Data Breach Notification: Credit cards and Sensitive Disease or drug
*
Delaware Data Breach Notification: Credit Card and Common Medical Condition
District of Columbia Security Breach Notification Act
District of Columbia CB 16-810, signed into law as the Consumer Personal Information Security Breach Notification Act in 2007, requires any person or entity who conducts business in the District of Columbia, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any District of Columbia resident whose personal information was included in the breach. The notification shall be made n the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d) of this section, and with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
District of Columbia Security Breach Notification Act: Name and SSN
*
District of Columbia Security Breach Notification Act: Name and DL
*
District of Columbia Security Breach Notification Act: Name and CCN
*
District of Columbia Security Breach Notification Act: Name and Password (Wide)
*
District of Columbia Security Breach Notification Act: Name and Password (Default)
*
District of Columbia Security Breach Notification Act: Name and Password (Narrow)
*
District of Columbia Security Breach Notification Act: Password Dissemination for HTTP Traffic (Wide)
*
District of Columbia Security Breach Notification Act: Password Dissemination for HTTP Traffic (Default)
*
District of Columbia Security Breach Notification Act: Password Dissemination for HTTP Traffic (Narrow)
Florida Information Protection Act
Florida SB 1524 of 2014 requires that a corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information shall provide notice to the department of any breach of security affecting 500 of more individuals in this state. Such notice must be provided to the department as expeditiously as practicable, but no later than 30 days after the determination of the breach or reason to believe a breach occurred. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules protect passwords. The rules for this policy are:
*
Florida Information Protection Act: SSN with CCN
*
Florida Information Protection Act: CCN with FL Driver License
*
Florida Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Florida Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
Florida Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
Georgia Personal Data Security Act
Georgia SB 230 of 2005 requires that in the vent of a breach of the security of the system, which system is maintained by a third-party agent for a covered entity, the third-party agent shall notify the covered entity of such breach as expeditiously as practicable but no later than 72 hours after the determination of such breach or reason to believe such breach has occurred. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords. The rules for this policy are:
*
Georgia Personal Data Security Act: SSN with CCN
*
Georgia Personal Data Security Act: CCN with GA Driver License
*
Georgia Personal Data Security Act: Password Dissemination for HTTP Traffic (Wide)
*
Georgia Personal Data Security Act: Password Dissemination for HTTP Traffic (Default)
*
Georgia Personal Data Security Act: Password Dissemination for HTTP Traffic (Narrow)
*
Georgia Personal Data Security Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Georgia Personal Data Security Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
Georgia Personal Data Security Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
Hawaii Security Breach of Personal Information
Hawaii SB 2290 of 2007 requires that any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form (whether computerized, paper, or otherwise), or any government agency that collects personal information for specific government purposes shall provide notice to the affected person that there has been a security breach, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
Hawaii Security Breach of Personal Information: Name and SSN
*
Hawaii Security Breach of Personal Information: Name and DL
*
Hawaii Security Breach of Personal Information: Name and CCN
*
Hawaii Security Breach of Personal Information: Name and Password (Wide)
*
Hawaii Security Breach of Personal Information: Name and Password (Default)
*
Hawaii Security Breach of Personal Information: Name and Password (Narrow)
*
Hawaii Security Breach of Personal Information: Password Dissemination for HTTP Traffic (Wide)
*
Hawaii Security Breach of Personal Information: Password Dissemination for HTTP Traffic (Default)
*
Hawaii Security Breach of Personal Information: Password Dissemination for HTTP Traffic (Narrow)
*
Hawaii Security Breach of Personal Information: Account and Password
Idaho Data Breach Notification
Idaho SB 1374 of 2006 requires a city, county, or stage agency, individual, or commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual, or commercial entity shall give notice as soon as possible to the affected Idaho resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
Idaho Data Breach Notification: Name and SSN
*
Idaho Data Breach Notification: Name and DL
*
Idaho Data Breach Notification: Name and CCN
*
Idaho Data Breach Notification: Name and Password (Wide)
*
Idaho Data Breach Notification: Name and Password (Default)
*
Idaho Data Breach Notification: Name and Password (Narrow)
*
Idaho Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Idaho Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Idaho Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
*
Idaho Data Breach Notification: Account and Password
Illinois Personal Information Protection Act
Illinois HB 1633 of 2006 requires data collectors to provide notification of a security breach after discovery, even if data has not been accessed by unauthorized persons. This state law affects all data collectors that own or license personal information (PI), or maintains computerized data that includes PI. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, state ID, and driver's license numbers. Additional rules detect passwords. The rules for this policy are:
*
Illinois Personal Information Protection Act: SSN with CCN
*
Illinois Personal Information Protection Act: CCN with Illinois Driver License
*
Illinois Personal Information Protection Act: CCN with Illinois State ID
*
Illinois Personal Information Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Illinois Personal Information Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Illinois Personal Information Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Illinois Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Illinois Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
Illinois Personal Information Protection Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
Indiana Disclosure of Security Breach law
Indiana SB 503 of 2006 requires that after discovering or being notified of a breach of the security of data, database owners shall disclose the breach to an Indiana resident whose: (1) unencrypted personal information was or may have been acquired by an unauthorized person; or (2) encrypted personal information was or may have been acquired by an unauthorized person with access to the encryption key; if the database owners know, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception, identity theft, or fraud affecting the Indiana resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Indiana Disclosure of Security Breach law: Name and SSN
*
Indiana Disclosure of Security Breach law: Name and DL
*
Indiana Disclosure of Security Breach law: Name and CCN
*
Indiana Disclosure of Security Breach law: Name and Password (Wide)
*
Indiana Disclosure of Security Breach law: Name and Password (Default)
*
Indiana Disclosure of Security Breach law: Name and Password (Narrow)
*
Indiana Disclosure of Security Breach law: Password Dissemination for HTTP Traffic (Wide)
*
Indiana Disclosure of Security Breach law: Password Dissemination for HTTP Traffic (Default)
*
Indiana Disclosure of Security Breach law: Password Dissemination for HTTP Traffic (Narrow)
*
Indiana Disclosure of Security Breach law: Account and Password
Iowa Data Breach Notification Law
Iowa S.F. 2308 of 2008 requires that any person who owns or licenses computerized data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security, following discovery of such breach of security, to any consumer whose personal information was included in the information that was breached. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Iowa Data Breach Notification Law: Name and SSN
*
Iowa Data Breach Notification Law: Name and DL
*
Iowa Data Breach Notification Law: Name and CCN
*
Iowa Data Breach Notification Law: Name and Password (Wide)
*
Iowa Data Breach Notification Law: Name and Password (Default)
*
Iowa Data Breach Notification Law: Name and Password (Narrow)
*
Iowa Data Breach Notification Law: Password Dissemination for HTTP Traffic (Wide)
*
Iowa Data Breach Notification Law: Password Dissemination for HTTP Traffic (Default)
*
Iowa Data Breach Notification Law: Password Dissemination for HTTP Traffic (Narrow)
*
Iowa Data Breach Notification Law: DNA profile
Kansas Protection of Consumer Information
Kansas SB 196 requires that a person that conducts business in this state, or a government, governmental subdivision, or agency that owns or licenses computerized data that includes personal information shall, when it becomes aware of any breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information has occurred or is reasonably likely to occur, the person or government, governmental subdivision, or agency shall give notice as soon as possible to the affected Kansas resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Kansas Protection of Consumer Information: Name and SSN
*
Kansas Protection of Consumer Information: Name and DL
*
Kansas Protection of Consumer Information: Name and CCN
*
Kansas Protection of Consumer Information: Name and Password (Wide)
*
Kansas Protection of Consumer Information: Name and Password (Default)
*
Kansas Protection of Consumer Information: Name and Password (Narrow)
*
Kansas Protection of Consumer Information: Password Dissemination for HTTP Traffic (Wide)
*
Kansas Protection of Consumer Information: Password Dissemination for HTTP Traffic (Default)
*
Kansas Protection of Consumer Information: Password Dissemination for HTTP Traffic (Narrow)
*
Kansas Protection of Consumer Information: Account and Password
Kentucky Data Breach Notification
Kentucky HB 232, signed into law in 2014, requires any person or business entity that conducts business in Kentucky to provide notification in case of an unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information (PII) maintained by the information holder as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident. Upon notification or discovery of a breach of the security of the system, an information holder must notify any resident of Kentucky whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person. It is applicable to any person that conducts business in the state and owns or licenses computerized data or maintains such data. The policy detects combinations of PII like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Kentucky Data Breach Notification: Account and Password
*
Kentucky Data Breach Notification: Name and CCN
*
Kentucky Data Breach Notification: Name and Password (Wide)
*
Kentucky Data Breach Notification: Name and Password (Default)
*
Kentucky Data Breach Notification: Name and Password (Narrow)
*
Kentucky Data Breach Notification: Name and SSN
*
Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Kentucky Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
Louisiana Data Breach Notification
Louisiana SB 205 of 2006 demands notification to any Louisiana resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person as a result of a security breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Louisiana Data Breach Notification: Name and SSN
*
Louisiana Data Breach Notification: Name and DL
*
Louisiana Data Breach Notification: Name and CCN
*
Louisiana Data Breach Notification: Name and Password (Wide)
*
Louisiana Data Breach Notification: Name and Password (Default)
*
Louisiana Data Breach Notification: Name and Password (Narrow)
*
Louisiana Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Louisiana Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Louisiana Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
*
Louisiana Data Breach Notification: Account and Password
Maine Data Breach Notification Law
Maine LD 1671 of 2006 requires that an information broker that maintains computerized data that includes personal information that becomes aware of a breach of the security of the system shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused, and shall give notice of a breach of the security of the system, following discovery or notification of the security breach, to a resident of this state whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Maine Data Breach Notification Law: Name and SSN
*
Maine Data Breach Notification Law: Name and DL
*
Maine Data Breach Notification Law: Name and CCN
*
Maine Data Breach Notification Law: Name and Password (Wide)
*
Maine Data Breach Notification Law: Name and Password (Default)
*
Maine Data Breach Notification Law: (Narrow)
*
Maine Data Breach Notification Law: Password Dissemination for HTTP Traffic (Wide)
*
Maine Data Breach Notification Law: Password Dissemination for HTTP Traffic (Default)
*
Maine Data Breach Notification Law: Password Dissemination for HTTP Traffic (Narrow)
*
Maine Data Breach Notification Law: Account and Password
Maryland Personal Information Protection Act
Maryland HB 208 of 2008 requires that a business that owns or licenses computerized data that includes personal information of an individual residing in the state, when it discovers or is notified of a breach of the security of a system, shall conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach. It is applicable to any person that conducts business in the state and owns or licenses computerized data or maintains such data. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Maryland Personal Information Protection Act: Name and SSN
*
Maryland Personal Information Protection Act: Name and DL
*
Maryland Personal Information Protection Act: Name and CCN
*
Maryland Personal Information Protection Act: Name and Password (Wide)
*
Maryland Personal Information Protection Act: Name and Password (Default)
*
Maryland Personal Information Protection Act: Name and Password (Narrow)
*
Maryland Personal Information Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Maryland Personal Information Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Maryland Personal Information Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Maryland Personal Information Protection Act: Account and Password
Massachusetts Protection of Personal Information
Massachusetts 201 CMR 17 requires that every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Massachusetts Protection of Personal Information: Name and SSN
*
Massachusetts Protection of Personal Information: Name and SSN (Wide)
*
Massachusetts Protection of Personal Information: Name and DL
*
Massachusetts Protection of Personal Information: Name and DL (Wide)
*
Massachusetts Protection of Personal Information: Name and CCN
*
Massachusetts Protection of Personal Information: Name and CCN (Wide)
*
Massachusetts Protection of Personal Information: Name and ID
*
Massachusetts Protection of Personal Information: Name and Password (Wide)
*
Massachusetts Protection of Personal Information: Name and Password (Default)
*
Massachusetts Protection of Personal Information: Name and Password (Narrow)
*
Massachusetts Protection of Personal Information: Name with Account and Password
*
Massachusetts Protection of Personal Information: Account and Password
*
Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Wide)
*
Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Default)
*
Massachusetts Protection of Personal Information: Password Dissemination for HTTP Traffic (Narrow)
Michigan Identity Theft Protection Act
Michigan HB 4658 of 2007 requires, unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one ore more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach, shall provide a notice of the security breach to each resident of this state. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Michigan Identity Theft Protection Act: SSN
*
Michigan Identity Theft Protection Act: SSN with CCN
*
Michigan Identity Theft Protection Act: SSN with Michigan DL
*
Michigan Identity Theft Protection Act: SSN with Account Number
*
Michigan Identity Theft Protection Act: SSN with PIN Number
*
Michigan Identity Theft Protection Act: SSN and Password (Wide)
*
Michigan Identity Theft Protection Act: SSN and Password (Default)
*
Michigan Identity Theft Protection Act: SSN and Password (Narrow)
*
Michigan Identity Theft Protection Act: SSN with DNA profile
Minnesota Data Breach Notification
Minnesota HF 2121 of 2006 requires that any person or business that conducts business in this state, and that owns or licenses data that includes personal information, shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of this state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in paragraph (c), or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Minnesota Data Breach Notification: Name with CCN
*
Minnesota Data Breach Notification: Name with Minnesota driver license
*
Minnesota Data Breach Notification: Name with SSN
*
Minnesota Data Breach Notification: SSN with CCN
*
Minnesota Data Breach Notification: SSN with DNA profile
*
Minnesota Data Breach Notification: SSN with MN driver license
Mississippi Data Breach Notification
Mississippi HB 583 of 2010 requires that consumers are notified promptly if the security of their information has been compromised, and gives the public the right to freeze their credit files if they become a victim of identity theft. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Mississippi Data Breach Notification: Account and Password
*
Mississippi Data Breach Notification: Name and CCN
*
Mississippi Data Breach Notification: Name and Password (Wide)
*
Mississippi Data Breach Notification: Name and Password (Default)
*
Mississippi Data Breach Notification: Name and Password (Narrow)
*
Mississippi Data Breach Notification: Name and SSN
*
Mississippi Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Mississippi Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Mississippi Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
Missouri Breach Notification Law
Missouri HB 62 of 2009 requires that any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Missouri Breach Notification Law: Name and SSN
*
Missouri Breach Notification Law: Name and DL
*
Missouri Breach Notification Law: Name and CCN
*
Missouri Breach Notification Law: Name and Password (Wide)
*
Missouri Breach Notification Law: Name and Password (Default)
*
Missouri Breach Notification Law: Name and Password (Narrow)
*
Missouri Breach Notification Law: Password Dissemination for HTTP Traffic (Wide)
*
Missouri Breach Notification Law: Password Dissemination for HTTP Traffic (Default)
*
Missouri Breach Notification Law: Password Dissemination for HTTP Traffic (Narrow)
*
Missouri Breach Notification Law: Account and Password
*
Missouri Breach Notification Law: ICD10 Descriptions and US full names
*
Missouri Breach Notification Law: Name and Sensitive Disease or drug
Montana Data Breach Notification Statute
Montana HB 732 of 2005 requires that any person or business that conducts business in Montana and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system, following discovery or notification of the breach, to any resident of Montana whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Montana Data Breach Notification Statute: Name and SSN
*
Montana Data Breach Notification Statute: Name and DL
*
Montana Data Breach Notification Statute: Name and CCN
*
Montana Data Breach Notification Statute: Name and Password (Wide)
*
Montana Data Breach Notification Statute: Name and Password (Default)
*
Montana Data Breach Notification Statute: Name and Password (Narrow)
*
Montana Data Breach Notification Statute: Password Dissemination for HTTP Traffic (Wide)
*
Montana Data Breach Notification Statute: Password Dissemination for HTTP Traffic (Default)
*
Montana Data Breach Notification Statute: Password Dissemination for HTTP Traffic (Narrow)
*
Montana Data Breach Notification Statute: Account and Password
Nebraska Notification of Data Security Breach Act
Nebraska LB 876, which was signed into law on April 13, 2006, requires that an individual or a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Nebraska Notification of Data Security Breach Act: Account and Password
*
Nebraska Notification of Data Security Breach Act: Name and CCN
*
Nebraska Notification of Data Security Breach Act: Name and Password (Wide)
*
Nebraska Notification of Data Security Breach Act: Name and Password (Default)
*
Nebraska Notification of Data Security Breach Act: Name and Password (Narrow)
*
Nebraska Notification of Data Security Breach Act: Name and SSN
*
Nebraska Notification of Data Security Breach Act: Password Dissemination for HTTP Traffic (Wide)
*
Nebraska Notification of Data Security Breach Act: Password Dissemination for HTTP Traffic (Default)
*
Nebraska Notification of Data Security Breach Act: Password Dissemination for HTTP Traffic (Narrow)
Nevada Security of Personal Information
Nevada SB SB 347 of 2006 requires that data collectors that maintain records that contain personal information of a resident of this state shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Nevada Security of Personal Information: Name and SSN
*
Nevada Security of Personal Information: Name and SSN (Wide)
*
Nevada Security of Personal Information: Name and DL
*
Nevada Security of Personal Information: Name and DL (Wide)
*
Nevada Security of Personal Information: Name and CCN
*
Nevada Security of Personal Information: Name and CCN (Wide)
*
Nevada Security of Personal Information: Name and ID
*
Nevada Security of Personal Information: Name and Password (Wide)
*
Nevada Security of Personal Information: Name and Password (Default)
*
Nevada Security of Personal Information: Name and Password (Narrow)
*
Nevada Security of Personal Information: Name with Account and Password
*
Nevada Security of Personal Information: Account and Password
*
Nevada Security of Personal Information: Password Dissemination for HTTP Traffic (Wide)
*
Nevada Security of Personal Information: Password Dissemination for HTTP Traffic (Default)
*
Nevada Security of Personal Information: Password Dissemination for HTTP Traffic (Narrow)
New Hampshire Notice of Security Breach
New Hampshire HB 1660 of 2007 requires businesses who own or license computerized data that includes personal information shall, when they become aware of a security breach, promptly determine the likelihood that the information has been or will be misused. If the determination is that misuse of the information has occurred or is reasonably likely to occur, or if a determination cannot be made, businesses shall notify the affected individuals as soon as possible. Personal information is considered the customer's full name in combination with any of the following: social security number, driver's license number, or financial account information. The policy detects a combination of full names with social security, driver's license, or credit card numbers. Additional rules detect passwords and account numbers. The rules for this policy are:
*
New Hampshire Notice of Security Breach: Name and SSN
*
New Hampshire Notice of Security Breach: Name and DL
*
New Hampshire Notice of Security Breach: Name and CCN
*
New Hampshire Notice of Security Breach: Name and Password (Wide)
*
New Hampshire Notice of Security Breach: Name and Password (Default)
*
New Hampshire Notice of Security Breach: Name and Password (Narrow)
*
New Hampshire Notice of Security Breach: Password Dissemination for HTTP Traffic (Wide)
*
New Hampshire Notice of Security Breach: Password Dissemination for HTTP Traffic (Default)
*
New Hampshire Notice of Security Breach: Password Dissemination for HTTP Traffic (Narrow)
*
New Hampshire Notice of Security Breach: Account and Password
New Jersey Personal Information and Privacy Protection Act
New Jersey A 4001 requires that any business or public entity required under this section to disclose a breach of security of a customer's personal information shall, in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
New Jersey Personal Information and Privacy Protection Act: SSN with CCN
*
New Jersey Personal Information and Privacy Protection Act: CCN with NJ Driver License
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for HTTP Traffic (Default)
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
New Jersey Personal Information and Privacy Protection Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
New Mexico Data Breach Notification Act
New Mexico HB 15 of 2017 requires that any person that is licensed to maintain or possess computerized data containing personal identifying information of a New Mexico resident that the person does not own or license shall notify the owner or licensee of the information of any security breach in the most expedient time possible. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
New Mexico Data Breach Notification Act: Account and Password
*
New Mexico Data Breach Notification Act: DNA profile
*
New Mexico Data Breach Notification Act: Name and CCN
*
New Mexico Data Breach Notification Act: Name and Password (Wide)
*
New Mexico Data Breach Notification Act: Name and Password (Default)
*
New Mexico Data Breach Notification Act: Name and Password (Narrow)
*
New Mexico Data Breach Notification Act: Name and SSN
*
New Mexico Data Breach Notification Act: Password Dissemination for HTTP Traffic (Wide)
*
New Mexico Data Breach Notification Act: Password Dissemination for HTTP Traffic (Default)
*
New Mexico Data Breach Notification Act: Password Dissemination for HTTP Traffic (Narrow)
New York Data Security Act
New York A 4254 of 2005 provides that in the event of unauthorized access to "private information," defined as personal information in combination with a social security number, driver's license, or an account or credit card number, the business or state entity is required to notify affected customers and inform appropriate authorities. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
New York Data Security Act: SSN: with NY driver license
*
New York Data Security Act: SSN with CCN
*
New York Data Security Act: Name with SSN
*
New York Data Security Act: Name with New-York driver license
*
New York Data Security Act: Name with CCN
*
New York Data Security Act: SSN with DNA profile
North Carolina Identity Theft Protection Act
North Carolina SB 1048 of 2005 requires that any business that owns or licenses personal information of residents of North Carolina or any business that conducts business in North Carolina that owns or licenses personal information in any form (whether computerized, paper, or otherwise) shall provide notice to the affected person that there has been a security breach, following discovery or notification of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
North Carolina Identity Theft Protection Act: Name and SSN
*
North Carolina Identity Theft Protection Act: Name and DL
*
North Carolina Identity Theft Protection Act: Name and CCN
North Dakota Data Breach Notification
North Dakota Data Breach Notification, amended in 2017 by HB 1088, requires any person that owns or licenses computerized data that includes personal information, to disclose any breach of the security system, following discovery or notification of the breach in the security of the data, to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
North Dakota Data Breach Notification: Account and Password
*
North Dakota Data Breach Notification: Name and CCN
*
North Dakota Data Breach Notification: Name and Password (Wide)
*
North Dakota Data Breach Notification: Name and Password (Default)
*
North Dakota Data Breach Notification: Name and Password (Narrow)
*
North Dakota Data Breach Notification: Name and SSN
*
North Dakota Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
North Dakota Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
North Dakota Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
Ohio Data Security Breach Notification Law
Ohio HB 104 of 2005 requires that any person that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system, following its discovery or notification of the breach of the security of the system, to any resident of this state whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to the resident. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Ohio Data Security Breach Notification Law: Name and SSN
*
Ohio Data Security Breach Notification Law: Name and DL
*
Ohio Data Security Breach Notification Law: Name and CCN
*
Ohio Data Security Breach Notification Law: Name and Password (Wide)
*
Ohio Data Security Breach Notification Law: Name and Password (Default)
*
Ohio Data Security Breach Notification Law: Name and Password (Narrow)
*
Ohio Data Security Breach Notification Law: Password Dissemination for HTTP Traffic (Wide)
*
Ohio Data Security Breach Notification Law: Password Dissemination for HTTP Traffic (Default)
*
Ohio Data Security Breach Notification Law: Password Dissemination for HTTP Traffic (Narrow)
Oklahoma Security Breach Notification Act
Oklahoma HB 2357 of 2006 requires that if you maintain, as part of a database, a consumer's name and other personal identification numbers (i.e., SSN, driver's license, credit card, or financial information with a personal security code) that such information must be encrypted or redacted so that in the event of a breach, such information cannot be obtained and used by a third party. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Oklahoma Security Breach Notification Act: Name and SSN
*
Oklahoma Security Breach Notification Act: Name and DL
*
Oklahoma Security Breach Notification Act: Name and CCN
*
Oklahoma Security Breach Notification Act: Name and Password (Wide)
*
Oklahoma Security Breach Notification Act: Name and Password (Default)
*
Oklahoma Security Breach Notification Act: Name and Password (Narrow)
*
Oklahoma Security Breach Notification Act: Password Dissemination for HTTP Traffic (Wide)
*
Oklahoma Security Breach Notification Act: Password Dissemination for HTTP Traffic (Default)
*
Oklahoma Security Breach Notification Act: Password Dissemination for HTTP Traffic (Narrow)
*
Oklahoma Security Breach Notification Act: Account and Password
Oregon Consumer Identity Theft Protection Act
Oregon SB 583 of 2007 requires that a person that owns or licenses personal information that the person uses in the course of the person's business, vocation, occupation, or volunteer activities and that was subject to a breach of security shall give notice of the breach of security to a) the consumer to whom the personal information pertains; b) the Attorney General, either in writing or electronically, if the number of consumers to whom the person must send the notice exceeds 250. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. Additional rules detect passwords and account numbers.The rules for this policy are:
*
Oregon Consumer Identity Theft Protection Act: Name and SSN
*
Oregon Consumer Identity Theft Protection Act: Name and DL
*
Oregon Consumer Identity Theft Protection Act: Name and CCN
*
Oregon Consumer Identity Theft Protection Act: Name and Password (Wide)
*
Oregon Consumer Identity Theft Protection Act: Name and Password (Default)
*
Oregon Consumer Identity Theft Protection Act: Name and Password (Narrow)
*
Oregon Consumer Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Oregon Consumer Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Oregon Consumer Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Oregon Consumer Identity Theft Protection Act: Account and Password
Pennsylvania Breach of Personal Information Notification Act
Pennsylvania SBG 712 of 2006 requires that an entity that maintains, stores, or manages computerized data that includes personal information shall provide notice of any breach of the security of the system, following discovery of the breach of the security of the system, to any resident of this Commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Pennsylvania Breach of Personal Information Act: Name and SSN
*
Pennsylvania Breach of Personal Information Act: Name and DL
*
Pennsylvania Breach of Personal Information Act: Name and CCN
*
Pennsylvania Breach of Personal Information Act: Name and Password (Wide)
*
Pennsylvania Breach of Personal Information Act: Name and Password (Default)
*
Pennsylvania Breach of Personal Information Act: Name and Password (Narrow)
*
Pennsylvania Breach of Personal Information Act: Account and Password
*
Pennsylvania Breach of Personal Information Act: Password Dissemination for HTTP Traffic (Wide)
*
Pennsylvania Breach of Personal Information Act: Password Dissemination for HTTP Traffic (Default)
*
Pennsylvania Breach of Personal Information Act: Password Dissemination for HTTP Traffic (Narrow)
Puerto Rico Data Breach Notification
The Puerto Rico Citizen Information of Data Banks Security Act, originally HB 1184, signed into law in 2005, requires that any entity that is the proprietor or custodian of a data bank for commercial use that includes personal information of citizens who reside in Puerto Rico must notify said citizens of any violation of the system's security when the data bank whose security has been violated contains all or part of the personal information file and the same is not protected by a cryptographic code, but only by a password. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Puerto Rico Data Breach Notification: Account and Password
*
Puerto Rico Data Breach Notification: Name and CCN
*
Puerto Rico Data Breach Notification: Name and Password (Wide)
*
Puerto Rico Data Breach Notification: Name and Password (Default)
*
Puerto Rico Data Breach Notification: Name and Password (Narrow)
*
Puerto Rico Data Breach Notification: Name and SSN
*
Puerto Rico Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Puerto Rico Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Puerto Rico Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
Rhode Island Identity Theft Protection Act
Rhode Island HB 6191 of 2006 requires that any municipal agency, state agency, or person that stores, owns, collects, processes, maintains, acquires, uses, or licenses data that includes personal information shall provide notification as set forth in this section of any disclosure of personal information, or any breach of the security of the system, that poses a significant risk of identity theft to any resident of Rhode Island whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person or entity. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Rhode Island Identity Theft Protection Act: Name and SSN
*
Rhode Island Identity Theft Protection Act: Name and DL
*
Rhode Island Identity Theft Protection Act: Name and CCN
*
Rhode Island Identity Theft Protection Act: Name and Password (Wide)
*
Rhode Island Identity Theft Protection Act: Name and Password (Default)
*
Rhode Island Identity Theft Protection Act: Name and Password (Narrow)
*
Rhode Island Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
Rhode Island Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Default)
*
Rhode Island Identity Theft Protection Act: Password Dissemination for HTTP Traffic (Narrow)
*
Rhode Island Identity Theft Protection Act: Account and Password
South Carolina Data Breach Notification
South Carolina SB 453 of 2008 requires that a person conducting business in this state, and owning or licensing computerized data or other data that includes personal identifying information, shall disclose a breach of the security of the system, following discovery or notification of the breach in the security of the data, to a resident of this State whose personal identifying information that was not rendered unusable through encryption, redaction, or other methods was, or is reasonably believed to have been, acquired by an unauthorized person when the illegal use of the information has occurred or is reasonably likely to occur, or use of the information creates a material risk of harm to the resident. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (C), or with measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
South Carolina Data Breach Notification: Account and Password
*
South Carolina Data Breach Notification: Name and CCN
*
South Carolina Data Breach Notification: Name and Password (Wide)
*
South Carolina Data Breach Notification: Name and Password (Default)
*
South Carolina Data Breach Notification: Name and Password (Narrow)
*
South Carolina Data Breach Notification: Name and SSN
*
South Carolina Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
South Carolina Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
South Carolina Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
South Dakota Medical Records Law
Section 44:73:09:03 of the Administrative Rules of South Dakota requires there shall be written policies and procedures to govern the administration and activities of the medical record service. They shall include policies and procedures pertaining to the confidentiality and safeguarding of medical records, the record content, continuity of a resident's medical records during subsequent admissions, requirements for completion of the record, and the entries to be made by various authorized personnel. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
South Dakota Medical Records Law: ICD9 Code and Name
*
South Dakota Medical Records Law: ICD9 Description and Name
*
South Dakota Medical Records Law: ICD10 Code and Name
*
South Dakota Medical Records Law: ICD10 Description and Name
*
South Dakota Medical Records Law: Name and Common Medical Condition
*
South Dakota Medical Records Law: Name and HICN
*
South Dakota Medical Records Law: Name and MBI (Default)
*
South Dakota Medical Records Law: Name and MBI (Wide)
*
South Dakota Medical Records Law: Name and Sensitive Disease or Drug
*
South Dakota Medical Records Law: Name and SSN
Tennessee Data Breach Notification
Tennessee HB 2170 of 2005 requires that any information holder shall disclose any breach of the security of the system, following discovery or notification of the breach in the security of the data, to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (d), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Tennessee Data Breach Notification: Name and SSN
*
Tennessee Data Breach Notification: Name and DL
*
Tennessee Data Breach Notification: Name and CCN
*
Tennessee Data Breach Notification: Name and Password (Wide)
*
Tennessee Data Breach Notification: (Default)
*
Tennessee Data Breach Notification: (Narrow)
*
Tennessee Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Tennessee Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Tennessee Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)
*
Tennessee Data Breach Notification: Account and Password
Texas Identity Theft Enforcement and Protection Act
Texas SB 122 of 2005 requires businesses to implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure of any sensitive personal information collected or maintained by the business in the regular course of business. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Texas Identity Theft Enforcement and Protection Act: SSN: with Texas driver license
*
Texas Identity Theft Enforcement and Protection Act: SSN with CCN
*
Texas Identity Theft Enforcement and Protection Act: Name with SSN
*
Texas Identity Theft Enforcement and Protection Act: Name with Texas driver license
*
Texas Identity Theft Enforcement and Protection Act: Name with CCN
*
Texas Identity Theft Enforcement and Protection Act: SSN with DNA profile
Utah Protection of Personal Information Act
Utah SB 69 of 2007 requires that 1) any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business. 2) a person who owns or licenses computerized data that includes personal information concerning a Utah resident shall, when the person becomes aware of a breach of system security, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused for identity theft or fraud purposes. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Utah Protection of Personal Information Act: SSN with CCN
*
Utah Protection of Personal Information Act: CCN with Utah Driver License
*
Utah Protection of Personal Information Act: SSN and Account number and Password
*
Utah Protection of Personal Information Act: Password Dissemination for HTTP Traffic (Wide)
*
Utah Protection of Personal Information Act: Password Dissemination for HTTP Traffic (Default)
*
Utah Protection of Personal Information Act: Password Dissemination for HTTP Traffic (Narrow
*
Utah Protection of Personal Information Act: Password Dissemination for non-HTTP/S Traffic (Wide)
*
Utah Protection of Personal Information Act: Password Dissemination for non-HTTP/S Traffic (Default)
*
Utah Protection of Personal Information Act: Password Dissemination for non-HTTP/S Traffic (Narrow)
Vermont Security Breach Notice Act
Vermont S 284 of 2007 requires any data collector that owns or licenses computerized personally identifiable information that includes personal information concerning a consumer shall notify the consumer that there has been a security breach following discovery or notification to the data collector of the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Vermont Security Breach Notice Act: Account and Password
*
Vermont Security Breach Notice Act: Name and CCN
*
Vermont Security Breach Notice Act: Name and Password (Wide)
*
Vermont Security Breach Notice Act: Name and Password (Default)
*
Vermont Security Breach Notice Act: Name and Password (Narrow)
*
Vermont Security Breach Notice Act: Name and SSN
*
Vermont Security Breach Notice Act: Password Dissemination for HTTP Traffic (Wide)
*
Vermont Security Breach Notice Act: Password Dissemination for HTTP Traffic (Default)
*
Vermont Security Breach Notice Act: Password Dissemination for HTTP Traffic (Narrow)
Virginia Data Breach Notification
Virginia SB 307 of 2008 requires that an individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee with information about any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonable believes the personal information was accessed and acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Virginia Data Breach Notification: Name and SSN
*
Virginia Data Breach Notification: Name and DL
*
Virginia Data Breach Notification: Name and CCN
Washington Data Breach Notification
Washington SB 6043 requires any person or entity who conducts business in the state, and who, in the course of such business, owns or licenses computerized or other electronic data that includes personal information, and who discovers a breach of the security of the system, shall promptly notify any resident whose personal information was included in the breach. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Washington Data Breach Notification: SSN: with WA driver license
*
Washington Data Breach Notification: SSN with CCN
*
Washington Data Breach Notification: Name with SSN
*
Washington Data Breach Notification: Name with Washington driver license
*
Washington Data Breach Notification: Name with CCN
*
Washington Data Breach Notification: SSN with DNA profile
West Virginia Consumer Credit and Protection Act
West Virginia SB 340 of 2008 requires that an individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system, following discovery or notification of the breach of the security of the system, to any resident of this state whose unencrypted and unredacted personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
West Virginia Consumer Credit and Protection Act: Account and Password
*
West Virginia Consumer Credit and Protection Act: Name and CCN
*
West Virginia Consumer Credit and Protection Act: Name and Password (Wide)
*
West Virginia Consumer Credit and Protection Act: Name and Password (Default)
*
West Virginia Consumer Credit and Protection Act: Name and Password (Narrow)
*
West Virginia Consumer Credit and Protection Act: Name and SSN
*
West Virginia Consumer Credit and Protection Act: Password Dissemination for HTTP Traffic (Wide)
*
West Virginia Consumer Credit and Protection Act: Password Dissemination for HTTP Traffic (Default)
*
West Virginia Consumer Credit and Protection Act: Password Dissemination for HTTP Traffic (Narrow)
Wisconsin Data Breach Notification
Wisconsin SB 164, signed into law in 2006 as Wisconsin Notice of Unauthorized Acquisition of Personal Information, states that if an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity's possession has been acquired by a person whom the entity knows has not been authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Wisconsin Data Breach Notification: SSN with CCN
*
Wisconsin Data Breach Notification: SSN with Wisconsin DL
*
Wisconsin Data Breach Notification: SSN with Account Number
*
Wisconsin Data Breach Notification: SSN with PIN Number
*
Wisconsin Data Breach Notification: SSN and Password (Wide)
*
Wisconsin Data Breach Notification: SSN and Password (Default)
*
Wisconsin Data Breach Notification: SSN and Password (Narrow)
*
Wisconsin Data Breach Notification: SSN with DNA profile
Wyoming Data Breach Notification
Wyoming Computer Security Breach related act, amended by SF 35 and 36 in 2015, requires that any person or business that conducts business in Wyoming and that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the data system, following discovery or notification of the breach, to any resident of Wyoming whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The policy detects combinations of Personally Identifiable Information (PII) like social security, credit card, and driver's license numbers. The rules for this policy are:
*
Wyoming Data Breach Notification: Account and Password
*
Wyoming Data Breach Notification: Name and CCN
*
Wyoming Data Breach Notification: Name and Password (Wide)
*
Wyoming Data Breach Notification: Name and Password (Default)
*
Wyoming Data Breach Notification: Name and Password (Narrow)
*
Wyoming Data Breach Notification: Name and SSN
*
Wyoming Data Breach Notification: Password Dissemination for HTTP Traffic (Wide)
*
Wyoming Data Breach Notification: Password Dissemination for HTTP Traffic (Default)
*
Wyoming Data Breach Notification: Password Dissemination for HTTP Traffic (Narrow)

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Forcepoint DLP Predefined Policies and Classifiers > Data Loss Prevention policies > Regulations, Compliance and Standards > United States of America - State Privacy Regulations
Copyright 2018 Forcepoint. All rights reserved.